Malicious PDF — malware analysis report

Static analysis result for SHA-256 21c5d44c5c5aa824…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Created: 2021-05-20 20:05:03 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: bca483b37e2b50f83632596c5bc9a3dd
SHA-1: 6df30d55fe1c54f039d99417f7196fd564fc3194
SHA-256: 21c5d44c5c5aa82401ecc3683463aabe71de4937c6d66ceb4836723513d72c2f
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a prominent call-to-action related to obtaining free virtual currency, a common lure for scams. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests a potential attempt to hide malicious content, and the ML classifier also flagged the document as malicious. While no scripts were directly extracted, the presence of external links and the lure indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7580

Heuristics (4)

  • Password-protected archive handoff (severity: high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/431946152/how-to-get-free-robux-without-download-apps-or-survey-game-hack
    • http://www.vermaagri.com/uploaded_files/userfiles/files/2021-free-spins-coin-master_GM406889139.pdf
    • http://www.vermaagri.com/uploaded_files/userfiles/files/coin-master-cards_GM406889139.pdf
    • http://www.vermaagri.com/uploaded_files/userfiles/files/free-robux-games-that-actually-work-2021_GM431946152.pdf
    • http://www.vermaagri.com/uploaded_files/userfiles/files/coin-master-hack-activegamer_GM406889139.pdf
    • http://www.vermaagri.com/uploaded_files/userfiles/files/buy-robux-free_GM431946152.pdf
    • https://direct-link.net
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source and size.

  • stream_002_off000035e2.bin
    SHA-256: 77792dbed2e529ff10ecdb2a2a57a40d531b0c4fce43962251bbe899c2864508
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x35E2
    Size: 26736 bytes
  • font_01_sfnt_off000072b2.bin
    SHA-256: e9630f3bb738ae3bc329a423cf069c8035d70ce2227e3557c42815f85ad3284f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72B2
    Size: 2852 bytes
  • font_02_sfnt_off00007c73.bin
    SHA-256: a2325719e7076f7032f87f435cdda87ec67b0b67db20430c9492992df634e2b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C73
    Size: 19880 bytes